Follow on X RSS Feed
Ransomware

SharpRhino Explained: Key Facts and How to Protect Your Data

Cybersec Sentinel

2 min read
SharpRhino Explained: Key Facts and How to Protect Your Data

Overview

Quorum Cyber's Incident Response team has discovered a new malware, SharpRhino, during a recent ransomware investigation. SharpRhino, attributed to the ransomware group Hunters International, functions as both an initial infection vector and a Remote Access Trojan (RAT). This malware exemplifies the sophisticated methods ransomware groups are employing to bypass security measures and gain unauthorized access to systems. Delivered via deceptive websites mimicking legitimate tools, SharpRhino establishes persistence on compromised devices, allowing attackers to maintain control and escalate their operations with minimal disruption. This development underscores the evolving threat landscape and the increasing complexity of cyber-attacks, necessitating robust and adaptive cybersecurity measures for organizations

Threat Actor Summary: Hunters International

Hunters International emerged as a Ransomware-as-a-Service (RaaS) provider in Q3 of 2023. It is the 10th most active ransomware group in 2024, attributed to similarities with the defunct Hive ransomware group. In 2024 alone, Hunters International claimed responsibility for 134 attacks. They exfiltrate data before encrypting files and demand ransom through TOR network chat portals. Their encryptor, written in Rust, appends ".locked" to files and is sophisticated in design​ (Quorum Cyber)​​ (BleepingComputer)​​ ​.

Targeting Profile

Hunters International employs an opportunistic targeting strategy, focusing on organizations across various sectors without prioritizing specific industries. However, there is a noticeable pattern in their attacks on IT workers and professionals. By leveraging typosquatting domains that impersonate legitimate IT tools, they exploit the trust and familiarity IT staff have with these utilities. Notably, Hunters International avoids targeting organizations within the Russian-influenced Commonwealth of Independent States (CIS), suggesting potential affiliations or sympathies towards Russian entities.

SharpRhino RAT Analysis

SharpRhino masquerades as Angry IP Scanner, delivered via typosquatting domains. The installer, an NSIS packed executable, includes a password-protected 7z archive. Upon execution, it establishes persistence by modifying the Run\UpdateWindowsKey registry, using a LOLBIN named Microsoft.AnyKey.exe to execute additional payloads. This malware utilizes PowerShell scripts to compile and execute C# code in-memory, enabling fileless malware operations.

Indicators of Compromise (IoCs)

Hashes (SHA256):

  • D2E7729C64C0DAC2309916CE95F6A8253CA7F3C7A2B92B452E7CFB69A601FBF6
  • 3F1443BE65525BD71D13341017E469C3E124E6F06B09AE4DA67FDEAA6B6C381F
  • 223AA5D93A00B41BF92935B00CB94BB2970C681FC44C9C75F245A236D617D9BB
  • 9A8967E9E5ED4ED99874BFED58DEA8FA7D12C53F7521370B8476D8783EBE5021
  • B57EC2EA899A92598E8EA492945F8F834DD9911CFF425ABF6D48C660E747D722
  • 09B5E780227CAA97A042BE17450EAD0242FD7F58F513158E26678C811D67E264

Domains:

  • cdn-server-1[.]xiren77418[.]workers[.]dev
  • cdn-server-2[.]wesoc40288[.]workers[.]dev
  • Angryipo[.]org
  • Angryipsca[.]com
  • ec2-3-145-180-193.us-east-2.compute[.]amazonaws[.]com
  • ec2-3-145-172-86.us-east-2.compute[.]amazonaws[.]com

Conclusion

The discovery of SharpRhino by Quorum Cyber highlights the advanced capabilities of modern ransomware groups like Hunters International. By targeting IT professionals through typosquatting domains, these attackers can leverage familiar tools to gain unauthorized access to systems. SharpRhino's use of sophisticated techniques, such as in-memory execution and PowerShell scripting, underscores the need for robust security measures and continuous monitoring. Organizations must remain vigilant and proactive in their cybersecurity efforts, employing adaptive strategies to counter the evolving threat landscape. For comprehensive insights and updates on Hunters International and other threats, visit Quorum Cyber's website and consult their detailed reports and resources.

Sources: